Information Security Requirements for International Travel (Best Practices)

Traveling outside the United States presents unique information security challenges. The reasons for your travel often require the use of your devices (laptop, tablet, mobile phone) in unfamiliar places that may expose your information to malicious people and software. Beyond the physical aspects, staying digitally connected often means connecting to Wi-Fi in hotels, airports, and conference centers. These networks will expose your device and data while harboring criminals targeting international travelers. In some cases, education networks are broadly targeted by government agencies strictly for the purposes of data theft.

To protect your devices and data, whether personal or Drake-related, please review and abide by the requirements in this document. In addition to information security safeguards, when traveling internationally you also need to consider U.S. export control laws and import restrictions imposed by the destination countries. You also need to be added to an external list of traveling people so that you can connect to our network. 

If you have any questions about these requirements, contact the security & compliance team at informationsecurity@drake.edu

Consider the need to take each device and the data contained on it. If you don’t need to access data stored on your computer, leave it behind. If you must take the device, move all locally-saved data to Teams and/or OneDrive. This will minimize the impact to information if your device is stolen.

1. Submit an Account/Security Request to be added to the traveling list.
2. Confirm whether the devices you’re taking are encrypted, and if your destination country allows the use of encryption. If you’re not able to use encryption at your destination, leave the device at home. Taking an unencrypted device to a foreign country will result in stolen data.
3. Install and configure VPN software. Drake provides a VPN to all faculty and staff upon request, while NordVPN and IPVanish are two of the most trusted commercial options, and both have short and long-term subscription options. Never use a free VPN service.
4. Ensure your accounts and devices are fully secured by confirming:
   • The latest software and patches are installed.
   • All accounts have strong passphrases and multi-factor authentication.
5. Look to see if you’re traveling to a participating eduroam-institution. If you are, you’ll be able to connect directly to the eduroam secure wireless network using your Drake credentials. For a list of eligible locations see https://www.eduroam.org/where/.
6. Review the MFA articles on staying connected while you are out of the country:

   • Using MFA Without Cellular Service or While Traveling (How-to)

   • Setting up Additional MFA Options or Changing your Default Option (How-to)

   • Getting Started Using Text Messages or Phone Calls for Multi-Factor Authentication (How-to)

   • Clearing a User's MFA Settings (How-to)

Be careful:

1. Connect only to known Wi-Fi networks. It’s easy for attackers to set up access points with legitimate-sounding names, hoping to lure travelers to connect while capturing information. This is especially prevalent at cafes, hotel lobbies, and airports. Before you connect, find out the name of the correct network. If you’re connecting to eduroam, the network will only ever be named eduroam.
2. Use VPN software to establish a secure connection. As soon as you’re connected to Wi-Fi, enable a VPN connection to ensure all data transmitted to and from your device is encrypted.
3. Disable Wi-Fi and Bluetooth when not in use. Because attackers imitate legitimate networks, your device may automatically connect to a dangerous network without your knowledge.
4. Never leave your device unattended. Physical access is the easiest way for others to temporarily or permanently access data. Plan to keep the device in your carry-on bag and always keep that bag with you. If you must leave the device, turn it off completely instead of putting it to sleep.
5. Take note or list any passwords used during the trip. Regardless of whether you used them on your device or a public computer, they may be compromised. To be safe, take note of what you used so they can be reset once you return.

Protect your device:

1. Reset any passwords used during the trip. As noted above, consider any credentials used while away to be compromised. Use a trusted computer, whether one at Drake or at home, to reset any passwords used. For example, if you used your Drake ID to access email, reset the password by going to https://password.drake.edu.
2. Scan the device using an anti-malware tool, or have it scanned by ITS by bringing your device(s) to the ITS Support Center.

China: A Special Situation

Travelers to the People's Republic of China have experienced a range of issues.

1. Access to Google and Microsoft’s suite of apps, Wikipedia, and other common sites are often heavily censored, filtered, or blocked completely.
2. Video conferencing connections such as Teams and Zoom may be monitored.
3. VPN connections are often disabled for extended periods.
4. Hotel staff and government officials often access in-room safes. Any device left in a hotel room is not stored securely.
5. While it is possible to take an encrypted device to China, many travelers have reported being “asked” to provide the decryption key when leaving the country.